User Guide

• 1: User Guide
• 2: How to Configure
• 2.1: Android
• 2.2: iPhone
• 2.3: Windows
• 2.4: macOS
• 2.5: Browser
• 3: Public Services
• 3.1: Android
• 3.2: iPhone
• 3.3: macOS
• 4: Advanced Features
• 4.1: Blocked Application List
• 4.2: ECS Boosts CDN Access Speed
• 4.3: DDNS Dynamic Resolution
• 4.4: DNS Split-Horizon Configuration Guide
• 4.5: Using Custom Device Names
• 4.6: Faster Request Response
• 4.7: Set Up Trusted Upstream Providers
• 5: Privacy Policy
• 6: Terms of Service

1 - User Guide

Paid Core Services

Basic Features

1. Access logs
2. Blocking logs
3. Statistics
4. Custom upstream
5. Custom filtering rules
6. Custom resolution
7. Allowlist mode

Advanced Features

1. HTTP3 support
2. DDNS support
3. ECS support
4. Split-horizon resolution by ruleset
5. App blocking
6. Time-based rules

Access Logs

View your browsing history; the private service provides 24-hour network access logs.

Blocking Logs

Check which ads and websites have been blocked.

Statistics

The private service provides 24-hour network access statistics so you can understand your browsing habits.

Statistics show which sites are visited most and which are blocked most.

Custom Rules

Create custom rules within the private service to block ads from apps you frequently use or to allow sites you don’t consider ads.

You may need to review the access logs, observe the DNS queries when launching specific apps, and then add corresponding custom rules.

Allowlist Mode

To prevent certain types of sites from being blocked, enable allowlist mode so only specified sites can be accessed.

The allowlist takes precedence over the blocklist; any site on the allowlist will not be blocked. You can add commonly used sites to the allowlist to avoid accidental blocking.

Authoritative Resolution

Support authoritative resolution for enterprise or home devices, mapping specified hostnames to your local IP addresses—no need to memorize IPs.

No domain purchase or filing is required; simply add authoritative resolution rules in the private service.

2 - How to Configure

After the paid service expires,

• The service will be disabled immediately, and attempting to access the admin dashboard will redirect you to the service status page.
• Personal settings will be retained for 7 days; if you do not renew within 7 days, all service data will be permanently deleted.
• Once the service is completely removed, your custom domain will no longer be able to access the service. Remember to update your encrypted DNS settings, otherwise you will be unable to access the Internet.

Need help?

Contact on WeChat private6688
or Send email service1@nullprivate.com
Please describe your issue in detail, and we will respond as soon as possible.

2.1 - Android

Configuration Steps

Device-specific setup instructions:

Xiaomi / Redmi

1. Open Settings
2. Select Connection & Sharing
3. Tap Private DNS
4. Choose Private DNS provider hostname
5. Enter: {xxxxxxxxxxxxxxxx}.adguardprivate.com

Samsung

1. Open Settings
2. Select Connections
3. Tap More connection settings
4. Select Private DNS
5. Enter: {xxxxxxxxxxxxxxxx}.adguardprivate.com

Note: Replace {xxxxxxxxxxxxxxxx} with your dedicated DNS server address.

Verify Configuration

After configuration:

1. The system will automatically validate the DNS connection.
2. “Connected” indicates success.

Troubleshooting

If configuration fails, check:

1. Whether the DNS server address is correct.
2. Whether the network connection is normal.
3. Whether the account is active.

2.2 - iPhone

iOS 14 and above natively support encrypted DNS via DNS over HTTPS (DoH) and DNS over TLS (DoT). You can enable it as follows:

1. Open the built-in Safari browser, go to the NullPrivate backend, Setup Guide → DNS Privacy
2. Download Profile
3. Open Settings on your phone
4. Tap General
5. Tap VPN & Device Management
6. Select your dedicated profile and install it

Configuration Demo

2.3 - Windows

Windows 11

Starting with Windows 11 21H2, native DNS over HTTPS (DoH) is supported. You can enable it as follows:

1. Open Settings
2. Open Network & Internet
3. Open Ethernet
4. Locate DNS server assignment, click Edit
   1. Choose Manual
   2. In Preferred DNS server, enter 120.26.96.167 for IPv4 and 2408:4005:3de:8500:4da1:169e:dc47:1707 for IPv6
   3. DNS over HTTPS (DoH): On (manual template)
   4. In DoH template, enter https://xxxxxxxxxxxxxxxx.adguardprivate.com/dns-query; {xxxxxxxxxxxxxxxx} is your encrypted DNS service username.
   5. Do not check Fallback to plaintext
   6. For the alternate DNS server you can optionally enter 223.5.5.5 (Alibaba Cloud public DNS service), set DNS over HTTPS to Off, and check Fallback to plaintext.

Windows 10 and Earlier

Windows 10 and earlier versions do not support native encrypted DNS, but if you are using a newer browser such as Chrome/Edge or any Chromium-based browser (360, QQ, and other Chinese browsers), you can configure DoH encrypted DNS within the browser. Here are the steps for Chrome:

1. Open Chrome Settings
2. Open Privacy, search, and services
3. Scroll to Security
4. Enable Use secure DNS to specify how to look up the network address for websites
5. In Choose service provider, enter https://xxxxxxxxxxxxxxxx.adguardprivate.com/dns-query; {xxxxxxxxxxxxxxxx} is your encrypted DNS service username.

For other browsers, please refer to their respective settings; generally, the option can be found under Settings → Privacy → Security.

2.4 - macOS

macOS Big Sur and later natively support DNS over HTTPS (DoH) and DNS over TLS (DoT) encrypted DNS. You can enable it as follows:

1. Open the built-in Safari browser and navigate to the NullPrivate service dashboard, Setup Guide → DNS Privacy.
2. Download the profile.
3. Open System Settings.
4. Go to Privacy & Security.
5. Select Profiles.
6. Choose your dedicated profile and install it.

2.5 - Browser

Browser versions based on Chromium 79+ support DoH. Below are the setup steps for Chromium-based browsers (Chrome/Edge/360/QQ, etc.):

1. Open Chrome’s Settings
2. Go to Privacy, search, and services
3. Scroll down to Security
4. Enable Use secure DNS to specify how to look up the network address for websites
5. In Choose service provider, enter https://xxxxxxxxxxxxxxxx.adguardprivate.com/dns-query, where {xxxxxxxxxxxxxxxx} is your username for the dedicated encrypted DNS service.

3 - Public Services

We provide free public services and have curated a set of widely-used domain lists.

Public Service Rules

The public service employs balanced ad-blocking rules; false positives or misses may occur. The rule lists are:

• AdGuard DNS filter
• AdGuard DNS Popup Hosts filter
• CHN: AdRules DNS List
• CHN: anti-AD
• AWAvenue Ads Rule
• WindowsSpyBlocker
• anti-AD
• easylist
• OISD Blocklist Small

Some users configure extra protection for elderly family members, so we also include security-blocking rules:

• HaGeZi’s Threat Intelligence Feeds
• HaGeZi’s Badware Hoster Blocklist

Additionally, the public service includes the following rules to block stubborn ads on certain phones that cannot be removed by conventional means:

# huawei search && browser
hisearch-drcn.dt.dbankcloud.com
uc-drcn.hispace.dbankcloud.cn
connect-drcn.hispace.hicloud.com
adx-drcn.op.dbankcloud.cn
hisearch-static-drcn.dbankcdn.com
||configserver.hicloud.com
||configserver.platform.hicloud.com
||configdownload.dbankcdn.cn
||browsercfg-drcn.cloud.dbankcloud.cn

Usage Notes

Because the public service is intended for the general population, it cannot accommodate personalized needs. Some users complain that ad-blocking is insufficient, while others report that false positives prevent game logins. We apologize that the public service cannot satisfy everyone; content that some view as ads may be useful information to others. In such cases, we tend to prioritize users who consider it useful.

When a false positive prevents WeChat or Alipay mini-programs from loading, simply disable the phone’s encrypted DNS setting temporarily to access the required service. However, based on our operational experience, many users do not know what to do when a service fails to work properly, so we must consider non-technical users’ experience.

Users familiar with DNS who encounter false positives or insufficient blocking should consider purchasing a private service.

Private services offer access logs, blocking logs, statistics, custom rules, authoritative resolution, and more to meet individual needs.

For other common requests,

Need help?

Contact on WeChat private6688
or Send email service1@nullprivate.com
Please describe your issue in detail, and we will respond as soon as possible.

Setup Instructions by Platform

Android

Android has natively supported DNS over TLS (DoT) since Android 9; phones released after 2019 are compatible. Enable it as follows:

1. Open Settings
2. Go to More connections
3. Open Private DNS
4. Choose Private DNS provider hostname and enter: public.adguardprivate.com

Self-hosted DNS can be implemented in many ways (e.g., AdGuard, dnsmasq, clash), but only native DoT has zero impact on phone performance. It requires no third-party apps, no permissions, no resources, and does not affect battery life. Therefore, native DoT encrypted DNS is recommended.

iPhone

iOS 14 and later natively support DNS over HTTPS (DoH) and DNS over TLS (DoT). Enable it as follows:

1. Open Safari, download the profile: dot.mobileconfig
2. Open Settings
3. Go to General
4. Open VPN & Device Management
5. Select Install Profile

macOS

macOS Big Sur and later natively support DNS over HTTPS (DoH) and DNS over TLS (DoT). Enable it as follows:

1. Open Safari, download the profile: dot.mobileconfig
2. Open System Preferences
3. Go to Network
4. Select VPN & Device Management
5. Choose Install Profile

3.1 - Android

Feature Overview

Android 9 and above natively supports DNS over TLS (DoT) encryption, protecting DNS queries from eavesdropping and tampering.

Setup Instructions

The exact menu path differs by brand; below are the steps for the most common manufacturers:

Xiaomi / Redmi

1. Open Settings
2. Select Connection & Sharing
3. Tap Private DNS
4. Choose Private DNS provider hostname
5. Enter: public.adguardprivate.com

Samsung

1. Open Settings
2. Select Connections
3. Tap More connection settings
4. Choose Private DNS
5. Select Private DNS provider hostname
6. Enter: public.adguardprivate.com

OPPO / OnePlus

1. Open Settings
2. Select Wi-Fi & Network
3. Tap Private DNS
4. Choose Private DNS provider hostname
5. Enter: public.adguardprivate.com

Other Brands

Look for the setting via:

• Search for “DNS” or “Private DNS” in Settings
• Check Network settings or Advanced network options

FAQ

How do I verify the configuration?

1. After saving, the system automatically validates the DNS server
2. If you see “Connected” or a checkmark, the setup succeeded

Troubleshooting setup failures

1. Ensure the hostname is entered exactly as shown
2. Verify your network connection is active
3. Confirm your Android version supports DoT (requires Android 9 or higher)

Setup Demo

3.2 - iPhone

Feature Overview

Starting with iOS 14, the iPhone natively supports encrypted DNS features, including:

• DNS over HTTPS (DoH) – encrypts DNS queries via the HTTPS protocol
• DNS over TLS (DoT) – encrypts DNS queries via the TLS protocol

These features effectively protect your network privacy and prevent DNS hijacking.

Configuration Steps

1. Download the Profile

Use Safari to download the profile: dot.mobileconfig

2. Install the Profile

1. Open the Settings app
2. Go to General > VPN & Device Management
3. Select and install the public.adguardprivate.com DoT profile

Special Notes

If you have iCloud Private Relay enabled, you need to:

• Manually turn it off in Settings, or
• Download and install this profile: disable-icloud-private-relay.mobileconfig

⚠️ Security Warning
Be extremely cautious when installing profiles. The profiles provided here are intended solely for legitimate privacy protection and ad-filtering services.
Do not install profiles from unknown sources, as they may compromise your device’s security.

Configuration Demo Video

3.3 - macOS

macOS Big Sur and later natively support DNS over HTTPS (DoH) and DNS over TLS (DoT). You can enable encrypted DNS as follows:

1. Open the built-in Safari browser and download the configuration file: dot.mobileconfig
2. Open System Settings
3. Go to Privacy & Security
4. Select Profiles
5. Under “Downloaded,” choose public.adguardprivate.com DoT to install

Please note that this is an unconventional way to modify system settings. We generally advise iPhone users not to install configuration files from unknown sources unless you are certain of their origin. This site provides legitimate personal-privacy protection and ad-blocking services and will never perform any actions that are harmful or objectionable to users. This disclaimer is intended to remind you that, even if you trust me, you should not readily trust configuration files provided by other websites. I will cover the potential risks of modifying system DNS settings in this manner in another article.

The complete contents of the configuration file are shown below. You can copy the text and paste it into your iPhone’s settings, or simply click the link above to download the file.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
	<dict>
		<key>PayloadContent</key>
		<array>
			<dict>
				<key>DNSSettings</key>
				<dict>
					<key>DNSProtocol</key>
					<string>TLS</string>
					<key>ServerName</key>
					<string>public.adguardprivate.com</string>
				</dict>
				<key>PayloadDescription</key>
				<string>Configures device to use NullPrivate</string>
				<key>PayloadDisplayName</key>
				<string>public.adguardprivate.com DoT</string>
				<key>PayloadIdentifier</key>
				<string>com.apple.dnsSettings.managed.11b4d48d-8e9b-4e15-b7c1-45cb1c564c99</string>
				<key>PayloadType</key>
				<string>com.apple.dnsSettings.managed</string>
				<key>PayloadUUID</key>
				<string>e9819f0c-250e-49b7-ad89-c0db078c72f0</string>
				<key>PayloadVersion</key>
				<integer>1</integer>
			</dict>
		</array>
		<key>PayloadDescription</key>
		<string>Adds NullPrivate to macOS Big Sur and iOS 14 or newer systems</string>
		<key>PayloadDisplayName</key>
		<string>public.adguardprivate.com DoT</string>
		<key>PayloadIdentifier</key>
		<string>e0b7d7db-e0d1-4bce-bcf4-8ada45d2f5a3</string>
		<key>PayloadRemovalDisallowed</key>
		<false/>
		<key>PayloadType</key>
		<string>Configuration</string>
		<key>PayloadUUID</key>
		<string>0404cb98-3621-4f97-9530-b18288633d40</string>
		<key>PayloadVersion</key>
		<integer>1</integer>
	</dict>
</plist>

4 - Advanced Features

Here we will introduce some advanced usage tips for private services.

4.1 - Blocked Application List

It is important not to confuse this with blacklists, which are usually used to block ads, privacy trackers, malware, etc. The Blocked Application List is for completely preventing the use of specified applications.

It is typically combined with a schedule to build personal habits and avoid addiction. Commonly used for minors’ habit formation—for example, prohibiting social media and games during study hours. It can also be used for adult self-discipline, such as banning social media and games during work hours.

This service provides pre-configured rules based on popular apps in each country. Because popular culture changes and companies evolve, these lists may become outdated, but we are committed to ongoing maintenance.

If you find that an app in the list is not fully blocked, or if you need to add a recently popular app, please contact us and we will handle it promptly.

Need help?

Contact on WeChat private6688
or Send email service1@nullprivate.com
Please describe your issue in detail, and we will respond as soon as possible.

4.2 - ECS Boosts CDN Access Speed

NullPrivate supports ECS, delivering more precise resolution and optimizing your network experience.

What is ECS (Extended Client Subnet)?

ECS (Extended Client Subnet) is a DNS protocol extension that allows a DNS resolver (such as your NullPrivate server) to pass part of the client’s IP address information to the authoritative DNS server. This enables the authoritative server to provide more accurate DNS responses based on the client’s network location.

How ECS Works

1. Traditional DNS Query: Without ECS, the DNS resolver only sends its own IP address to the authoritative DNS server. This forces the authoritative server to make resolution decisions based on the resolver’s location (usually a data center), which can yield sub-optimal results.

2. ECS-enabled DNS Query: When ECS is enabled, the DNS resolver includes a portion of the client’s IP address (the subnet) in the DNS query. For example, if the client’s IP is 203.0.113.45, the resolver might send 203.0.113.0/24 as ECS information.

3. Authoritative Server Response: Upon receiving a query containing ECS information, the authoritative DNS server can use it to select the IP address best suited to the client—typically the server geographically closest to the client.

Benefits of ECS

• Faster Response Times: By directing clients to the nearest server, ECS reduces latency and improves application responsiveness.
• Enhanced User Experience: Faster response times create a smoother, more enjoyable online experience.
• More Effective CDN Usage: Content Delivery Networks (CDNs) can leverage ECS to direct users to the optimal content server, boosting efficiency and lowering costs.
• Bypass Local Resolver Limitations: Some local ISP DNS servers may have issues such as resolution errors or domain hijacking. ECS can bypass these limitations to obtain more accurate resolution results.

Why Use ECS with NullPrivate?

As a private DNS server, NullPrivate can be configured to use upstream DNS servers for domain resolution. With ECS enabled, NullPrivate can pass your client subnet information to those upstream servers, yielding more accurate resolution results.

4.3 - DDNS Dynamic Resolution

What is DDNS?

DDNS (Dynamic DNS) lets you bind a fixed domain name to a dynamic IP address, ideal for home broadband users who need to access internal devices such as NAS units, smart-home controllers, etc.

Features

• Easy to use: Automatic updates with a single script
• Zero extra cost: No need to purchase a domain
• High reliability: Powered by NullPrivate’s DNS infrastructure
• Fast propagation: DNS records take effect instantly after update, no waiting for propagation

Getting Started

You can find the DDNS script download link under Filters -> DNS rewrites.

FAQ

How do I verify it’s working?

Run ping your-domain.name to confirm the domain resolves to your current IP address.

Alternatively, log in to the service dashboard and check Filters -> DNS rewrites.

How do I schedule automatic updates?

Windows Task Scheduler

1. Open Task Scheduler
2. Create a basic task
3. Set the trigger frequency (recommended 15–30 minutes)
4. Choose PowerShell as the program and enter the full script command in the arguments

Linux Cron Job

Add the following to crontab (runs every 15 minutes):

*/15 * * * * /path/to/update_dns.sh https://xxxxxxxx.adguardprivate.com admin:password123 nas.home

Notes

• Keep your username and password secure to avoid leaks
• It’s recommended to add the update script to your system scheduler for automatic execution
• If resolution doesn’t update promptly, check network connectivity and verify credentials

4.4 - DNS Split-Horizon Configuration Guide

DNS Split-Horizon Overview

DNS split-horizon routes resolution requests for different domains to distinct DNS servers, greatly improving network access. A well-designed setup can:

• Accelerate domain resolution
• Increase website stability
• Optimize cross-border access
• Avoid DNS pollution

NullPrivate Split-Horizon Configuration

Basic Example

# Domestic DNS servers
223.5.5.5                                    # Alibaba DNS
2400:3200::1                                 # Alibaba DNS IPv6
public0.adguardprivate.svc.cluster.local    # Private DNS, mainland upstream

# Overseas DNS servers
tls://1.0.0.1                               # Cloudflare DNS
tls://[2606:4700:4700::1001]               # Cloudflare DNS IPv6
public2.adguardprivate.svc.cluster.local    # Private DNS, other upstream

# Split-horizon rules
[/google.com/bing.com/github.com/stackoverflow.com/]tls://1.0.0.1 public2.adguardprivate.svc.cluster.local
[/cn/xhscdn.com/tencentclb.com/tencent-cloud.net/aliyun.com/alicdn.com/]223.5.5.5 2400:3200::1 public0.adguardprivate.svc.cluster.local

Domestic Carrier DNS Servers

China Telecom DNS Servers

China Unicom DNS Servers

China Mobile DNS IPs

Public DNS IPs

Configuration Tips

1. Prefer geographically close DNS servers
2. Configure both IPv4 and IPv6 DNS
3. Set up backup DNS for critical domains
4. Update split-horizon rules regularly
5. Monitor DNS response times

Precautions

• Record original DNS settings before changes
• Avoid untrusted DNS servers
• Periodically verify DNS resolution
• Keep rule lists concise and effective

Proper DNS split-horizon configuration can significantly improve network access. Choose DNS servers and rules according to your actual needs.

References

• Provincial DNS Server List
• Public DNS Lookup

4.5 - Using Custom Device Names

If you use the service’s listening address directly, such as:

• tls://xxxxxxxx.adguardprivate.com
• https://xxxxxxxx.adguardprivate.com/dns-query

the IP shown in the dashboard under Client Rankings will be the cluster IP of the load balancer, which is meaningless to you and prevents differentiating individual devices.

You can identify different devices by extending the hostname or adding a URL path.

• DoT uses the extended-hostname method, e.g. tls://device1.xxxxxxxx.adguardprivate.com
• DoH uses the additional-path method, e.g. https://xxxxxxxx.adguardprivate.com/dns-query/device2

Notes:

• On Android, you do not need the protocol prefix tls://; simply enter device1.xxxxxxxx.adguardprivate.com
• On Apple devices, follow the setup guide: enter the client ID, download the configuration profile, and you’re done—no manual entry required.

All devices on a personal service share the service’s query limit of 30 requests per second.

4.6 - Faster Request Response

Paid users utilize the NullPrivate private service; the DNS request path is as follows:

Based on this path, we can analyze the fastest response strategy.

Local Cache Hit

The fastest response is a local cache hit. Because the local cache operates at the memory level, it is extremely fast—only a few microseconds.

This is controlled by the TTL (time to live) value in the DNS response, typically ranging from minutes to hours, indicating that the query result remains valid during this period and does not need to be queried again.

You can set the minimum TTL value in Control Panel -> Settings -> DNS Settings -> DNS Cache Configuration -> Override Minimum TTL. Increasing this value extends cache duration, allowing the system to use the local cache more frequently. A common TTL value is 600 seconds.

However, since this site also provides filtering capabilities, if a service you need is mistakenly blocked by ad rules, you won’t be able to access it immediately even after temporarily disabling encrypted DNS, because the local cache result has been modified by the filtering rules. Therefore, setting it to 60 seconds is a safer value, ensuring that in rare cases users won’t have to wait too long after disabling encrypted DNS due to false blocks.

NullPrivate DNS Server

Currently, the site uses Alibaba Cloud servers located in Hangzhou, which can meet the low-latency needs of most users in the eastern region. As the business grows, more servers will be added nationwide in the future.

Server Cache Hit

By default, each user is allocated 4 MB of DNS cache. Based on experience, this is sufficient for a household. Allowing users to freely modify this setting may result in forced service termination, so the modification entry for this setting has been disabled.

Upstream DNS Server

Since Alibaba Cloud services are used, upstream DNS services also use Alibaba Cloud DNS, which is very fast, typically returning results within a few milliseconds.

Users have three ways to request upstream DNS servers:

1. Load Balancing: Load balancing is enabled by default, automatically selecting the fastest server to return results.
2. Parallel Requests: The site does not restrict the use of parallel requests.
3. Fastest IP Address: Currently a meaningless setting; the modification entry for this setting has been disabled.

Here’s why the “fastest IP address” is meaningless: the fastest IP must be chosen by the actual device accessing the service. When NullPrivate runs in Hangzhou but the user is in Beijing, NullPrivate considers Hangzhou’s IP address the fastest, but in reality, the user accessing a Beijing service is fastest; choosing Hangzhou’s IP address actually increases latency. Therefore, the modification entry for this setting has been disabled. This setting might be useful in a user’s home network but is meaningless in a public service.

Many factors affect network experience, such as server-side bandwidth, network congestion, server load, and network quality. Choosing the fastest IP address does not guarantee the fastest response speed; latency is only one factor, not the sole factor. To prevent users from misconfiguring and degrading service quality, the modification entry for this setting has been disabled.

Rule Filtering

The most commonly used mode is the blacklist list, where users can choose from preset blacklist lists. Blacklist hits use a hash algorithm; regardless of the number of rules, hit time is O(1), so users need not worry about excessive rule volume causing long hit times.

However, rules are calculated and stored in memory. Each user’s service memory usage is limited to 300 MB, which meets the needs of most users. If a user’s rule volume is too large, it may cause insufficient memory, leading to repeated service restarts and service interruption.

Currently, the site has disabled third-party rules to prevent users from introducing excessive rules. Once better restriction methods are available, third-party rules will be reopened.

Summary

To achieve faster request response, users can:

1. Appropriately increase the minimum TTL value to improve local cache hit rate.
2. Set an appropriate DNS cache size (preset value).
3. Choose the geographically closest city to create a service (pending business expansion).
4. If no overseas access is needed, use load balancing; if overseas access is needed, use parallel requests.
5. Use blacklist rules suitable for yourself, avoiding introducing excessive rules.

4.7 - Set Up Trusted Upstream Providers

When a paid service is created, it defaults to domestic upstream servers that are relatively fast, including Alibaba’s IPv4 and IPv6 as well as DoT services.

Some providers may have resolution errors, resolving certain overseas domains to incorrect IP addresses and causing access failures. A common symptom is the browser reporting a certificate error.

To avoid such resolution errors, you can switch upstream providers and use Cloudflare’s services. When using these services, make sure to adopt DoH or DoT protocols to prevent hijacking.

At the same time, you should disable domestic upstream servers because they are geographically closer and faster, and AdGuard will prefer them.

Simply prepend a # to the IP of the corresponding upstream server to disable it.

After configuration, click Test upstreams to ensure the upstream servers are available, then click Apply once confirmed.

However, using only overseas servers will degrade the experience of domestic apps, because domestic apps usually direct overseas resolutions to specific external servers, which are slower when accessed from within China.

If you only need to avoid resolution errors for commonly used services, you can manually specify a particular resolution address for domains that are incorrectly resolved; unspecified domains will continue to use the default domestic upstream servers.

In the AdGuard dashboard, go to Settings → DNS settings → Upstream DNS servers, add incorrectly resolved domains in the format [/example1.com/example2.com/]tls://1.0.0.1 under Custom DNS servers, then click Save configuration.

public2.adguardprivate.svc.cluster.local is our internally provided resolver without resolution errors, whose upstream is Cloudflare. Compared to users specifying an overseas upstream themselves, it offers faster resolution speeds at the cost of a small delay when domain records are updated. If you have no specialized requirements, you can use this resolver we provide.

If you prefer to use external resolvers such as Cloudflare or Google, you need to specify IP addresses using DoT/DoH. You can refer to the following:

#tls://1.1.1.1
tls://1.0.0.1
tls://[2606:4700:4700::1111]
tls://[2606:4700:4700::1001]
tls://[2606:4700:4700::64]
tls://[2606:4700:4700::6400]
https://1.1.1.1/dns-query
https://1.0.0.1/dns-query
https://[2606:4700:4700::1111]/dns-query
https://[2606:4700:4700::1001]/dns-query
#tls://8.8.8.8
#tls://8.8.4.4
tls://[2001:4860:4860::8888]
tls://[2001:4860:4860::8844]
tls://[2001:4860:4860::64]
tls://[2001:4860:4860::6464]
#https://8.8.8.8/dns-query
#https://8.8.4.4/dns-query
#https://[2001:4860:4860::8888]/dns-query
https://[2001:4860:4860::8844]/dns-query

Addresses commented with # are currently blocked by the firewall and unavailable.

This site fully supports IPv6, which is one of our advantages. You can use IPv6 upstream addresses for more stable resolution speeds.

5 - Privacy Policy

• NullPrivate does not collect any information from users.
• NullPrivate will not share any information about users with third parties.
• NullPrivate provides services using randomly generated usernames and passwords; only the payment order number is linked to the username, and the payment order number does not involve personal information.
• When initiating inquiries via WeChat or email, NullPrivate will learn contact details such as WeChat ID or email address.
• Contact details are used solely for service inquiries; NullPrivate will not proactively send any promotional information to the obtained contact details.
• NullPrivate uses tools like Google Analytics for official website traffic statistics, but does not collect any personal information.
• When diagnosing user issues, NullPrivate will review the runtime logs of the user service, but does not collect any personal information.

6 - Terms of Service

I. Service Content

1. NullPrivate provides DNS-based ad blocking and privacy-protection SaaS services.
2. Services are divided into Trial (time-limited / quota-limited) and Paid versions; see product documentation for functional differences.
3. We reserve the right to adjust service features as technology evolves.

II. Account and Registration

1. No real-name information is required for the Trial version; use random credentials to experience the service.
2. Paid versions must complete order verification via the payment platform.
3. Transferring or sharing account credentials is prohibited.

III. Payment and Refunds

1. The Trial version is a time-limited offer, and prices may change at any time.
2. Paid versions use a prepaid model. No refunds are currently provided.
3. If service interruption exceeds 24 hours due to force majeure, you may apply for service-time compensation.

IV. Privacy Protection

1. We follow the data-processing principles described in the Privacy Policy.
2. Service logs are retained for no more than 30 days and are used only for troubleshooting.
3. All configuration data is transmitted via TLS encryption.

V. User Responsibilities

1. You must not use the service for any illegal activities.
2. Reverse engineering or cracking service protocols is prohibited.
3. Report any security vulnerabilities to us.

VI. Disclaimer

1. We do not guarantee completely uninterrupted or error-free service.
2. We will not be liable for service issues arising from:
   • User equipment or network failure
   • Force majeure (natural disasters, policy changes, etc.)
   • Third-party service (payment platforms, DNS providers, etc.) failure

VII. Amendments

1. Significant changes will be announced on the official website at least 30 days in advance.
2. Continued use of the service constitutes acceptance of the revised terms.

Last Updated: 29 November 2024
Effective Date: 1 December 2024

(Contact us at service1@nullprivate.com if you have any questions.)